A newly discovered variant of the Satori botnet is targeting computers dedicated to mining cryptocurrency to steal Ethereum coins by exploiting a flaw in the Claymore Miner software, researchers have reported.


The ethereum-stealing version of Satori, dubbed Satori.Coin.Robber, appeared on 8 January 2018 and is designed to replace the wallet address for collecting the newly minted cryptocurrency with an address controlled by the botnet operator, according to researchers from China-based Qihoo Netlab 360.

To make the switch, the Satori malware connects to the mining computer on port 3333, the management port used by the Claymore Miner software. Once the wallet address has been replaced, all coins generated by the infected computer are channelled into the attacker’s wallet.

The pay record connected to the botnet showed the Satori variant was still actively mining at the time of writing.

According to the researchers, the botnet has an average hash rate of 1606 MH/s and is capable of accumulating 0.1733 Ethereum coins (£123) in 24 hours.

Satori.Coin.Robber works “primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config),” the researchers said. “To prevent potential abuse, we will not discuss details.”
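As an added defender-side example (not code from the article, from Qihoo Netlab 360 or from Claymore), the following Python audit checks a miner's launch command line for the two conditions the article describes: management reachable on port 3333 without a password, and a payout wallet that no longer matches the operator's own. The flag names -ewal, -mport and -mpsw are assumptions about Claymore's command line, not something the article states.

```python
import shlex

# Added audit helper; not code from the article, Qihoo Netlab 360 or Claymore.
# Assumed Claymore flag names (not stated in the article): -ewal (payout wallet,
# optionally "wallet.worker"), -mport (management port; negative = read-only
# monitoring, 0 = off) and -mpsw (management password).
DEFAULT_MPORT = 3333  # the default management port the article reports


def is_flag(tok):
    """A token is a flag if it starts with '-' but is not a (possibly negative) number."""
    return tok.startswith("-") and not tok.lstrip("-").isdigit()


def parse_flags(cmdline):
    """Turn a miner launch command line into a {flag: value} dict ('' for bare flags)."""
    tokens = shlex.split(cmdline)
    flags = {}
    for i, tok in enumerate(tokens):
        if not is_flag(tok):
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        flags[tok] = "" if is_flag(nxt) else nxt
    return flags


def audit_miner(cmdline, expected_wallet):
    """Return findings: payout wallet not ours, or management usable without a password."""
    flags = parse_flags(cmdline)
    findings = []
    # Satori.Coin.Robber's goal is a swapped payout address, so compare to the known-good one.
    wallet = flags.get("-ewal", "").split(".")[0]
    if wallet.lower() != expected_wallet.lower():
        findings.append("wallet mismatch: configured %r, expected %r" % (wallet, expected_wallet))
    # Management enabled (positive port) with no password is the default the botnet relies on.
    try:
        mport = int(flags.get("-mport", DEFAULT_MPORT))
    except ValueError:
        mport = DEFAULT_MPORT
    if mport > 0 and not flags.get("-mpsw"):
        findings.append("management port %d allows control without a password" % mport)
    return findings


if __name__ == "__main__":
    # Constructed sample command line with a placeholder wallet address.
    sample = "EthDcrMiner64.exe -epool pool.example:4444 -ewal 0xWALLET_PLACEHOLDER.rig1 -epsw x"
    for finding in audit_miner(sample, "0xWALLET_PLACEHOLDER"):
        print("FINDING:", finding)
```

Run it against the command line of every miner you operate; a clean result means the management port is read-only or password-protected and the configured wallet is still yours.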

Analysis of the botnet code revealed similarities with the original Satori, including similar code structures, encrypted configurations, similar configuration strings, and the same payload.

However, the new variant also comes with a payload targeting the Claymore Miner that features an asynchronous network connection method and enables a new set of command and control communication protocols.

Researchers noted that the author behind Satori.Coin.Robber has claimed the code is not malicious, and has even left an email address behind.

“Satori dev here, don’t be alarmed about this bot. It does not have any malicious packeting purposes, move along,” the message reads, followed by an email address.

News of the Satori cryptocurrency-stealing variant comes less than a month after the code for a Huawei router exploit, which was used by the Satori botnet, was posted online.

In December 2017, security researchers warned that Satori had been used to hijack around 100,000 home routers in just 12 hours, and that the botnet could unleash internet-crippling attacks at any time. The warning sparked a fresh call for manufacturers of internet of things (IoT) devices to do more to ensure they cannot be hijacked for malicious purposes.

However, in reporting Satori.Coin.Robber, the Qihoo Netlab 360 researchers said Satori was under control due to the quick actions of the security community to sinkhole its command and control communications.

“The spread of this new botnet has been temporarily halted, but the threat still remains,” they warned.

The migration of Satori from IoT devices to cryptocurrency miners is in line with other cyber crime operations switching their attention to cryptocurrencies as they gain in popularity and value.
